Package: ruby1.9.1
Version: 1.9.3.194-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu quantal ubuntu-patch

Dear Maintainer,

While I was preparing an Ubuntu ruby1.9.1 update for CVE-2012-2126, I
noticed that ruby1.9.1-1.9.3.194-1 included its own trusted CA
certificate bundle, rather than using the bundle from ca-certificates,
to do server certificate verification in the gem fetcher.

In Ubuntu, the attached patch was applied to achieve the following:

  * Make the RubyGems fetcher use distro-provided ca-certificates
    (LP: #1057926)
    - debian/control: Add ca-certificates to libruby1.9.1 depends so that
      rubygems can perform certificate verification
    - debian/rules: Don't install SSL certificates from upstream sources
    - debian/patches/20120927-rubygems_disable_upstream_certs.patch: Use
      /etc/ssl/certs/ca-certificates.crt for the trusted CA certificates.


Thanks for considering the patch.


-- System Information:
Debian Release: wheezy/sid
  APT prefers quantal-updates
  APT policy: (500, 'quantal-updates'), (500, 'quantal-security'), (500, 'quantal')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.5.0-15-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ruby1.9.1-1.9.3.194/debian/changelog ruby1.9.1-1.9.3.194/debian/changelog
diff -Nru ruby1.9.1-1.9.3.194/debian/control ruby1.9.1-1.9.3.194/debian/control
--- ruby1.9.1-1.9.3.194/debian/control	2012-05-27 15:47:25.000000000 -0700
+++ ruby1.9.1-1.9.3.194/debian/control	2012-09-28 14:29:00.000000000 -0700
@@ -29,7 +29,7 @@
 Package: libruby1.9.1
 Section: libs
 Architecture: any
-Depends: ${shlibs:Depends}, ${misc:Depends}
+Depends: ca-certificates, ${shlibs:Depends}, ${misc:Depends}
 Conflicts: libdbm-ruby1.9.1, libgdbm-ruby1.9.1, libreadline-ruby1.9.1, libopenssl-ruby1.9.1, irb1.8 (<< 1.9.1.378-2~), rdoc1.8 (<< 1.9.1.378-2~)
 Replaces: libdbm-ruby1.9.1, libgdbm-ruby1.9.1, libreadline-ruby1.9.1, libopenssl-ruby1.9.1, irb1.8, rdoc1.8
 Provides: libdbm-ruby1.9.1, libgdbm-ruby1.9.1, libreadline-ruby1.9.1, libopenssl-ruby1.9.1
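Review bot: making ca-certificates a hard Depends of libruby1.9.1 is what keeps the `File.file? BuiltinSSLCerts` guard in the new rubygems patch from silently leaving the trust store empty, so this line is the right strength; if the bundle were only Recommended and absent, every HTTPS gem fetch would fail verification with no hint of the cause. Worth a short note in debian/changelog (the changelog diff above is empty) explaining that the dependency exists for the RubyGems fetcher, since nothing else in libruby1.9.1 obviously needs it.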
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/20120927-rubygems_disable_upstream_certs.patch ruby1.9.1-1.9.3.194/debian/patches/20120927-rubygems_disable_upstream_certs.patch
--- ruby1.9.1-1.9.3.194/debian/patches/20120927-rubygems_disable_upstream_certs.patch	1969-12-31 16:00:00.000000000 -0800
+++ ruby1.9.1-1.9.3.194/debian/patches/20120927-rubygems_disable_upstream_certs.patch	2012-09-28 00:09:07.000000000 -0700
@@ -0,0 +1,30 @@
+Description: Use the certificates maintained by the distro
+ Rather than using the certificates packaged in the upstream sources to verify
+ server SSL certificates, use the certificates provided by the ca-certificates
+ package.
+Author: Tyler Hicks <tyhi...@canonical.com>
+Forwarded: not-needed
+Index: ruby1.9.1-1.9.3.194/lib/rubygems/remote_fetcher.rb
+===================================================================
+--- ruby1.9.1-1.9.3.194.orig/lib/rubygems/remote_fetcher.rb	2012-09-27 10:48:23.046684546 -0700
++++ ruby1.9.1-1.9.3.194/lib/rubygems/remote_fetcher.rb	2012-09-27 10:48:42.590685014 -0700
+@@ -8,7 +8,7 @@
+ 
+ class Gem::RemoteFetcher
+ 
+-  BuiltinSSLCerts = File.expand_path("./ssl_certs/*.pem", File.dirname(__FILE__))
++  BuiltinSSLCerts = "/etc/ssl/certs/ca-certificates.crt"
+ 
+   include Gem::UserInteraction
+ 
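Review bot: `BuiltinSSLCerts` now holds the path of a single file instead of a glob over bundled PEM files, so the constant's name no longer describes its value. Keeping the name is reasonable because the constant is public on Gem::RemoteFetcher, but a one-line comment above it saying that it points at the ca-certificates bundle would stop the next reader from looking for an `ssl_certs` directory that debian/rules no longer ships.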
+@@ -354,8 +354,8 @@
+   end
+ 
+   def add_rubygems_trusted_certs(store)
+-    Dir.glob(BuiltinSSLCerts).each do |ssl_cert_file|
+-      store.add_file ssl_cert_file
++    if File.file? BuiltinSSLCerts
++      store.add_file BuiltinSSLCerts
+     end
+   end
+ 
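Review bot: the `if File.file? BuiltinSSLCerts` branch has no `else`, so when the bundle is missing the store stays empty and every HTTPS fetch fails with a bare "unable to get local issuer certificate" that does not say why. Gem::UserInteraction is already mixed in (the `include` in the first hunk), so an `else alert_warning "#{BuiltinSSLCerts} not found; gem HTTPS fetches will fail verification"` would point users at the ca-certificates dependency. The change also relies on `store.add_file` loading every certificate in a concatenated PEM bundle rather than only the first; it does, but that is the behaviour to re-check whenever the Ruby or OpenSSL version changes.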
diff -Nru ruby1.9.1-1.9.3.194/debian/patches/series ruby1.9.1-1.9.3.194/debian/patches/series
--- ruby1.9.1-1.9.3.194/debian/patches/series	2012-05-27 15:46:34.000000000 -0700
+++ ruby1.9.1-1.9.3.194/debian/patches/series	2012-09-28 00:32:14.000000000 -0700
@@ -16,3 +16,5 @@
 110829-hurd_dirent_usage.patch
 hurd-path-max.diff
 20120517-r35434.patch
+20120927-rubygems_disable_upstream_certs.patch
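Review bot: the hunk header `@@ -16,3 +16,5 @@` promises five lines on the new side but only four follow (three context lines and one addition), so this hunk will not apply to debian/patches/series without fuzz or a rejection. Either a second added line was lost when the mail was composed or the counts need regenerating with `diff -Nru` before the patch is committed.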
diff -Nru ruby1.9.1-1.9.3.194/debian/rules ruby1.9.1-1.9.3.194/debian/rules
--- ruby1.9.1-1.9.3.194/debian/rules	2012-06-02 03:35:36.000000000 -0700
+++ ruby1.9.1-1.9.3.194/debian/rules	2012-09-28 00:09:07.000000000 -0700
@@ -170,7 +170,8 @@
 	    for f in libruby-$(ruby_ver).so.$(ruby_ver) libruby-$(ruby_ver).so.$(ruby_ver_major); do \
 		echo usr/lib/$$f; \
 	    done) | xargs dh_movefiles -p$(cdbs_curpkg) 
-	dh_movefiles -p$(cdbs_curpkg) $(ruby_libdir)
+	# Do not install the SSL certs bundled in the upstream source
+	dh_movefiles -p$(cdbs_curpkg) -Xssl_certs $(ruby_libdir)
 
 	cd $(DEB_SRCDIR)/ext && \
 	for dir in \
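Review bot: `-Xssl_certs` excludes every path containing that substring from this dh_movefiles call, which keeps the bundled CA files out of libruby1.9.1, but the files stay in the build tree under $(ruby_libdir); check that no later dh_movefiles call for another binary package sweeps them up, or the upstream bundle would still reach users through a different package. Also, the new comment line starts with a tab, so make hands it to the shell as a recipe line (harmless, but echoed into the build log); putting the comment on the line before the recipe, without the tab, keeps the log clean.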

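As an added illustration, not code from the bug report, from Ubuntu or from RubyGems, the Ruby script below mirrors the guard that the rubygems patch above installs in add_rubygems_trusted_certs and shows its three outcomes on a constructed test PKI: the server certificate verifies when its CA sits anywhere inside a concatenated bundle laid out like /etc/ssl/certs/ca-certificates.crt, is rejected when only an unrelated CA is present, and is rejected when the bundle file is missing, because the store is then empty and verification fails closed. The function names, the test CA names and the /nonexistent path are assumptions made for this example.

```ruby
require 'openssl'
require 'tempfile'

# Throwaway PKI (constructed test data): a CA, a server certificate it signed,
# and an unrelated CA that must never be able to validate that server.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = make_cert('/CN=Example Test CA', CA_KEY, ca: true, serial: 1)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = make_cert('/CN=gems.example.test', LEAF_KEY,
                      issuer_cert: CA_CERT, issuer_key: CA_KEY, serial: 2)
OTHER_KEY = OpenSSL::PKey::RSA.new(2048)
OTHER_CA  = make_cert('/CN=Unrelated CA', OTHER_KEY, ca: true, serial: 3)

# Same shape as the patched Gem::RemoteFetcher#add_rubygems_trusted_certs
# (hypothetical name here): load the bundle if it exists, otherwise leave
# the store untouched. Returns whether anything was loaded.
def add_trusted_certs(store, bundle_path)
  return false unless File.file? bundle_path
  store.add_file bundle_path             # loads every PEM certificate in the file
  true
end

# Build a store from a bundle path and verify one certificate against it.
# Returns [verified?, openssl_error_string].
def verify_with_bundle(bundle_path, cert)
  store = OpenSSL::X509::Store.new
  add_trusted_certs(store, bundle_path)
  ok = store.verify(cert)
  [ok, store.error_string]
end

# Write the given certificates as one concatenated PEM file, the layout
# /etc/ssl/certs/ca-certificates.crt uses, and yield its path.
def with_bundle(*certs)
  Tempfile.create(['ca-bundle', '.crt']) do |f|
    f.write(certs.map(&:to_pem).join)
    f.flush
    yield f.path
  end
end

def demo
  {
    # the real CA is present (and not even first in the file): verified
    trusted_bundle: with_bundle(OTHER_CA, CA_CERT) { |p| verify_with_bundle(p, LEAF_CERT) },
    # only an unrelated CA is trusted: rejected
    wrong_bundle:   with_bundle(OTHER_CA)          { |p| verify_with_bundle(p, LEAF_CERT) },
    # ca-certificates not installed: empty store, rejected (fails closed)
    missing_bundle: verify_with_bundle('/nonexistent/ca-certificates.crt', LEAF_CERT),
  }
end

if __FILE__ == $0
  demo.each do |name, (ok, err)|
    puts "#{name}: " + (ok ? 'verified' : "rejected (#{err})")
  end
end
```

The missing-bundle case is the one the `File.file?` guard produces when ca-certificates is absent: no exception, no warning, just a rejection of every server, which is why the hard dependency in debian/control matters.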